Klue Supply Chain Attack Compromises Salesforce Data of Cybersecurity Firms Huntress and Recorded Future
A supply chain attack on competitive intelligence platform Klue has compromised Salesforce instances belonging to its customers, including cybersecurity firms Huntress and Recorded Future, with data exfiltration attributed to the emerging Icarus extortion group.

A supply chain attack targeting Klue, a competitive intelligence platform, has compromised Salesforce instances belonging to its customers, including cybersecurity firms Huntress and Recorded Future. The attackers exfiltrated customer relationship management (CRM) data from the affected Salesforce environments, highlighting the cascading risk of supply-chain compromises when third-party platforms hold privileged integrations with security vendors.
The attack began on June 11 and affected systems associated with software platform integrations. The hackers connected to Klue’s backend servers and executed unauthorized commands, pushing a code update to harvest OAuth tokens for customers’ Klue integrations. Klue notified customers of the incident on June 12, warning that it had deactivated OAuth tokens for all customers and disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack.
According to ReliaQuest, the hackers abused the Salesforce REST API to exfiltrate large volumes of CRM data over a 24-hour window, “including a concentrated burst of nearly a thousand queries in 15 minutes and sustained extraction windows lasting over 6 hours”. On June 17, Salesforce disabled the Klue Battlecards app integration, warning that it “detected unusual activity involving the app that may have resulted in unauthorized access to a subset of customer data via the app’s connection to Salesforce”.
On Thursday, both Huntress and Recorded Future confirmed that they were among the companies affected by the supply chain attack. “The data that was copied from our Salesforce account includes business contacts, price quotes, and other sales-related data and messaging. No threat data, passwords, payment card information, or engineering data relating to the Huntress agent or telemetry we collect was affected,” Huntress said. Recorded Future noted, “While our investigation is ongoing, we believe the impact was limited to business data fields stored in our Salesforce database, such as client contact names and email addresses. Certain business contract information may also have been potentially included in the impacted data.”
The incident was limited to the Klue-Salesforce integration and the attackers did not access any systems belonging to or maintained by the two cybersecurity firms. Huntress noted that several other cybersecurity companies use Klue, but no other firm appears to have publicly disclosed impact from the attack. The attack follows the same pattern observed in previous Salesforce, Salesloft Drift, and Gainsight incidents, which have been attributed to ShinyHunters and UNC6395, but appears to have been mounted by a new threat actor.
Huntress said it received attempted extortion communication from a threat actor calling itself “Mr Brean”, who pointed to a Session Messenger ID associated with Icarus, an extortion group that emerged in April 2026. Icarus’ leak site has one entry from early May, with the data allegedly stolen from the victim already published (albeit no longer available), and another from June 16, which points to data stolen from Salesforce. “With those matching data points, we have high confidence that the Icarus actor is responsible for the Klue compromise and this supply chain attack,” Huntress says.
While it has shared details of the attack with its customers, Klue has not made a public announcement on the matter. SecurityWeek has emailed the company for a statement and will update this article if it responds. The incident underscores the growing threat of supply chain attacks targeting SaaS integrations, where a single compromised third-party platform can expose sensitive data across multiple high-value organizations, including those in the cybersecurity sector itself.
Salesforce has since blocked new connections through the Klue Battlecards app until further notice. ReliaQuest's analysis indicates that the Icarus actor used compromised legacy credentials to obtain OAuth tokens, then ran automated Python scripts that first enumerated the Salesforce object catalog and then bulk-queried CRM records for up to 24 hours, the same burst-and-sustain query pattern described above. Huntress confirmed that some of its employees received extortion emails threatening to expose the data, while Klue stated that the incident was limited to third-party platform integrations and did not affect customer content stored within its own platform.
Huntress published a detailed account on June 18, describing the incident as a "security domino effect" in which a single compromised Klue integration credential cascaded into the theft of customer data across connected platforms, including Salesforce. The timeline and technical details Huntress provided offer new insight into how the Icarus group used the stolen OAuth tokens to exfiltrate data from multiple organizations.
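The exfiltration pattern ReliaQuest describes (a burst of nearly a thousand REST API queries in 15 minutes, extraction sessions running past 6 hours, and a catalog enumeration followed by bulk queries across many objects) is the kind of thing a Salesforce tenant can hunt for in its own API event logs. The following is an added example, not code from Klue, Huntress, ReliaQuest or Salesforce: it runs three detections over a constructed log. The CSV layout is loosely modeled on the Salesforce Event Log File RestApi event type but is simplified, and the column names, the "Klue Battlecards"/"InHouse Sync" client names, the user ID and all thresholds are assumptions for the example; the sample rows are synthesized, not real telemetry.

```python
"""Hunt for bulk CRM exfiltration by a connected app in Salesforce REST API event logs.

Three signals, per CLIENT_NAME (connected app):
  1. burst     - max number of API calls inside any 15-minute window
  2. sustained - longest run of activity with no idle gap over 10 minutes
  3. entities  - number of distinct objects queried (catalog walk + bulk pull)
All thresholds below are assumptions for this example; tune to your org baseline.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 500                 # calls per window that count as a burst
SESSION_GAP = timedelta(minutes=10)   # idle time that splits one session from the next
SUSTAINED_MIN = timedelta(hours=6)    # session length that counts as sustained extraction
MANY_ENTITIES = 20                    # distinct objects queried by one app


def parse_events(csv_text):
    """Parse a simplified RestApi-style CSV into dicts with a tz-aware 'ts', sorted by time."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        r["ts"] = datetime.fromisoformat(r["TIMESTAMP_DERIVED"].replace("Z", "+00:00"))
        rows.append(r)
    rows.sort(key=lambda r: r["ts"])
    return rows


def by_client(events):
    """Group events by connected app (CLIENT_NAME column, assumed)."""
    groups = defaultdict(list)
    for e in events:
        groups[e["CLIENT_NAME"]].append(e)
    return groups


def max_burst(events, window=BURST_WINDOW):
    """Largest number of events from one client inside any window (two-pointer sweep)."""
    best, lo = 0, 0
    for hi, e in enumerate(events):
        while e["ts"] - events[lo]["ts"] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def longest_session(events, gap=SESSION_GAP):
    """Longest stretch of activity in which consecutive calls are never more than `gap` apart."""
    longest = timedelta(0)
    start = prev = events[0]["ts"]
    for e in events[1:]:
        if e["ts"] - prev > gap:          # idle period: close the current session
            longest = max(longest, prev - start)
            start = e["ts"]
        prev = e["ts"]
    return max(longest, prev - start)


def findings(csv_text):
    """Return per-client metrics and the list of triggered detections."""
    out = {}
    for client, evs in by_client(parse_events(csv_text)).items():
        entities = {e["ENTITY_NAME"] for e in evs if e["ENTITY_NAME"]}
        burst, session = max_burst(evs), longest_session(evs)
        flags = []
        if burst >= BURST_THRESHOLD:
            flags.append(f"burst:{burst} calls/15min")
        if session >= SUSTAINED_MIN:
            flags.append(f"sustained:{session}")
        if len(entities) >= MANY_ENTITIES:
            flags.append(f"entities:{len(entities)} distinct objects")
        out[client] = {"burst": burst, "session": session,
                       "entities": len(entities), "flags": flags}
    return out


def synth_log():
    """Constructed sample log (not real data): a quiet in-house integration plus a
    connected app that behaves like the exfiltration described in the article."""
    t0 = datetime(2026, 6, 11, 1, 0, tzinfo=timezone.utc)
    rows = ["EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,METHOD,URI,ENTITY_NAME"]

    def row(ts, client, uri, entity):
        stamp = ts.isoformat().replace("+00:00", "Z")
        rows.append(f"RestApi,{stamp},005000000000001,{client},GET,{uri},{entity}")

    for i in range(24):                      # benign: one Account query every 30 minutes
        row(t0 + timedelta(minutes=30 * i), "InHouse Sync", "/services/data/v60.0/query", "Account")
    row(t0, "Klue Battlecards", "/services/data/v60.0/sobjects", "")   # catalog enumeration
    for i in range(950):                     # burst: 950 queries in ~14 minutes over 30 objects
        row(t0 + timedelta(seconds=i * 0.9), "Klue Battlecards",
            "/services/data/v60.0/query", f"Object{i % 30}")
    for i in range(210):                     # sustained: a query every 2 minutes for 7 hours
        row(t0 + timedelta(minutes=15 + 2 * i), "Klue Battlecards",
            "/services/data/v60.0/query", "Contact")
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    for client, f in findings(synth_log()).items():
        print(client, f["flags"] or "clean")
```

The sweep in `max_burst` is linear in the number of events, so it scales to a full day of event log files; in practice you would run `findings` over the RestApi (and Bulk API) event log files for the date range of the compromise and pivot on any connected app whose burst, session length or object spread departs from its own historical baseline, then revoke that app's OAuth tokens.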